• Cybersecurity researchers have disclosed details of a new malware family dubbed YiBackdoor that has been found to share “significant” source code overlaps with IcedID and Latrodectus. “The exact connection to YiBackdoor is not yet clear, but it may be used in conjunction with Latrodectus and IcedID during attacks,” Zscaler ThreatLabz said in a Tuesday report. “YiBackdoor is able to execute


  • Think payment iframes are secure by design? Think again. Sophisticated attackers have quietly evolved malicious overlay techniques to exploit checkout pages and steal credit card data by bypassing the very security policies designed to stop them. Download the complete iframe security guide here.  TL;DR: iframe Security Exposed Payment iframes are being actively exploited by attackers using


  • A severe security vulnerability in OnePlus OxygenOS has been discovered that allows any installed application to read SMS and MMS messages without requesting permission or notifying users. 

    The flaw, designated CVE-2025-10184, affects multiple OnePlus devices running OxygenOS versions 12, 14, and 15, potentially compromising SMS-based multi-factor authentication (MFA) systems and exposing sensitive personal communications to unauthorized access.

    Cybersecurity firm Rapid7 identified this permission bypass vulnerability across several OnePlus smartphone models, including the OnePlus 8T, OnePlus 10 Pro 5G, and potentially other devices in the ecosystem. 

    The vulnerability stems from improperly secured internal content providers within the Android Telephony package (com.android.providers.telephony) that can be exploited through SQL injection techniques.

    OnePlus OxygenOS Vulnerability

    The vulnerability exploits Android’s content provider system, which manages structured data access across applications. 

    OnePlus introduced three additional exported content providers in their OxygenOS implementation that are not present in stock Android: PushMessageProvider, PushShopProvider, and ServiceNumberProvider. 

    These providers contain inadequate permission controls and lack proper SQL injection protections.

    The most critical flaw exists in the ServiceNumberProvider class, where the update method accepts arbitrary SQL code through the where parameter without sanitization. 

    Malicious applications can exploit this weakness to perform blind SQL injection attacks, utilizing Boolean inference techniques to extract SMS data character by character from the device’s message database, as the report states.

    The exploitation process involves crafting SQL queries with UNION SELECT statements and substr functions to systematically extract message contents. 

    This vulnerability presents significant security implications beyond simple message interception. 

    The flaw effectively bypasses Android’s READ_SMS permission check, allowing malicious applications to access SMS data silently without user consent or system notifications.

    Most critically, this compromises SMS-based MFA systems used by banking applications, social media platforms, and other security-sensitive services.
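    To make the mechanism above concrete, the following is an added Python/sqlite3 model written for this page; it is not OnePlus or Rapid7 code and does not reproduce the real com.android.providers.telephony schema. It shows an update() that splices the caller’s where clause into the statement verbatim, the blind boolean extraction that enables (the only signal the attacker gets is the affected-row count update() returns, which is why the advisory lists “at least one row in the exposed table” as a prerequisite), and a hardened variant that takes column filters as bound parameters instead of raw SQL. The probe uses a scalar subquery rather than the UNION SELECT form the report mentions; the inference step is the same. Table names, the dummy row and the sample message are constructed for the example.

```python
import sqlite3
import string


def build_db():
    """Constructed stand-in for the telephony database: an sms table holding a
    one-time code, and a small table reachable through the exposed provider
    that holds one row (the advisory's precondition)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sms(_id INTEGER PRIMARY KEY, address TEXT, body TEXT);
        CREATE TABLE service_number(_id INTEGER PRIMARY KEY, number TEXT, label TEXT);
        INSERT INTO sms VALUES (1, '12345', 'Your code is 483920');
        INSERT INTO service_number VALUES (1, '100', 'dummy');
    """)
    return conn


class VulnerableProvider:
    """Models an update() whose where clause is spliced into the SQL unsanitised.
    The attacker never reads the sms table directly; the affected-row count
    that update() returns is the whole oracle."""

    def __init__(self, conn):
        self.conn = conn

    def update(self, values, where):
        assignments = ", ".join(f"{col} = ?" for col in values)
        sql = f"UPDATE service_number SET {assignments} WHERE {where}"  # injection point
        cur = self.conn.execute(sql, tuple(values.values()))
        self.conn.commit()
        return cur.rowcount


def extract_first_sms_body(provider, max_len=64):
    """Recover the first SMS body one character at a time. A probe updates the
    dummy row only when the guessed character is correct, so rowcount == 1
    confirms the guess; no candidate matching means the end of the message."""
    alphabet = string.ascii_letters + string.digits + " .:-"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = (
                "_id = 1 AND (SELECT substr(body, %d, 1) FROM sms ORDER BY _id LIMIT 1) = '%s'"
                % (pos, ch)
            )
            if provider.update({"label": "dummy"}, probe) == 1:
                recovered += ch
                break
        else:
            return recovered
    return recovered


class HardenedProvider:
    """Same operation, but the caller can no longer supply SQL: filters are a
    mapping of whitelisted column names to values and every value is bound.
    (On Android the first fix is not exporting the provider, or guarding it
    with a permission; this only closes the injection.)"""

    FILTER_COLUMNS = {"_id", "number"}
    VALUE_COLUMNS = {"number", "label"}

    def __init__(self, conn):
        self.conn = conn

    def update(self, values, filters):
        bad = (set(values) - self.VALUE_COLUMNS) | (set(filters) - self.FILTER_COLUMNS)
        if bad or not filters:
            raise ValueError(f"rejected column(s): {sorted(bad)}")
        assignments = ", ".join(f"{col} = ?" for col in values)
        where = " AND ".join(f"{col} = ?" for col in filters)
        cur = self.conn.execute(
            f"UPDATE service_number SET {assignments} WHERE {where}",
            tuple(values.values()) + tuple(filters.values()),
        )
        self.conn.commit()
        return cur.rowcount


def demo():
    """Leak the message through the vulnerable provider, then show the
    hardened one rejecting an injected filter key."""
    conn = build_db()
    leaked = extract_first_sms_body(VulnerableProvider(conn))
    hardened = HardenedProvider(conn)
    try:
        hardened.update({"label": "x"}, {"_id = 1 AND (SELECT 1)": 1})
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    body, blocked = demo()
    print("leaked via blind SQLi:", body)
    print("hardened provider rejected injected filter:", blocked)
```

    The point of the model is that nothing in the vulnerable path ever returns SMS content; the leak rides entirely on whether a write to an unrelated table succeeded, which is why permission checks on the SMS provider itself are not the control that matters here.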

    Risk Factors / Details
    Affected Products: OnePlus devices running OxygenOS 12, 14, and 15 (e.g. 8T, 10 Pro)
    Impact: Unauthorized read of SMS and MMS data and metadata; silent bypass of SMS-based MFA
    Exploit Prerequisites:
      1. Vulnerable OxygenOS version with unprotected Telephony content providers
      2. At least one row in the exposed table, or the ability to insert a dummy row
      3. Malicious app installed on the device
    CVSS 3.1 Score: 7.8 (High)

    Mitigations

    The vulnerability affects OxygenOS versions 12, 14, and 15 across multiple device models. Notably, the OxygenOS 11 versions tested were not vulnerable, suggesting the security flaw was introduced during the OxygenOS 12 development cycle in 2021. 

    Rapid7 notes the issue could be abused for surveillance by state-sponsored adversaries and authoritarian regimes seeking to monitor communications.

    OnePlus has remained unresponsive to Rapid7’s disclosure attempts since May 2025, leading to public disclosure without vendor coordination. 

    Users can mitigate exposure by removing non-essential applications, transitioning from SMS-based MFA to authenticator applications, and utilizing end-to-end encrypted messaging platforms for sensitive communications until OnePlus releases security patches addressing CVE-2025-10184.


    The post OnePlus OxygenOS Vulnerability Allows Any App to Read SMS Data Without Permission appeared first on Cyber Security News.


  • A serious security flaw in the Salesforce CLI installer (sf-x64.exe) has been assigned CVE-2025-9844. This weakness allows attackers to execute arbitrary code with SYSTEM-level privileges on Windows machines. Users who installed Salesforce CLI from untrusted sources may be at risk. The vulnerability stems from improper handling of file paths during installation, which can be abused […]

    The post Salesforce CLI Installer Flaw Lets Attackers Run Code and Gain SYSTEM-Level Access appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Since August 2024, a financially motivated threat group has been targeting Android users in Indonesia and Vietnam with banking trojans disguised as official government identity and payment applications. By employing elaborate download mechanisms, reusing infrastructure, and leveraging template-based spoofed sites, the operators have used a coordinated campaign to evade detection and steal user credentials. The […]

    The post Banking Trojans Targeting Android Users Disguise as Government and Trusted Payment Apps appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A critical vulnerability in the Salesforce CLI installer (sf-x64.exe) enables attackers to achieve arbitrary code execution, privilege escalation, and SYSTEM-level access on Windows systems. 

    Tracked as CVE-2025-9844, the flaw stems from improper handling of executable file paths by the installer, allowing malicious files to be executed in place of legitimate binaries when the software is obtained from untrusted sources.

    Path Hijacking Vulnerability (CVE-2025-9844)

    The vulnerability exploits how the Salesforce CLI installer resolves file paths during installation. When sf-x64.exe runs, it loads several auxiliary executables and DLLs from the current working directory before falling back to the directory containing the installer. 

    An attacker who places a crafted executable named identically to a legitimate component (for example, sf-autoupdate.exe or sf-config.dll) in the same folder can cause the installer to load and execute the attacker’s code. 

    Because the installer runs with elevated privileges by default, writing registry keys under HKLM and creating services under LocalSystem, the injected code inherits SYSTEM-level privileges, enabling complete takeover of the host machine.

    Upon execution, the installer loads the rogue sf-autoupdate.exe, which escalates privileges by creating a reverse shell service under the LocalSystem account. The attacker then uses the shell to execute commands and successfully retrieves SYSTEM-level output.
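    The search-order problem described above, as an added Python model written for this page (it is not Salesforce’s installer code): a resolver that tries the current working directory before the installer’s own directory, beside a resolver that roots the path at the installer directory and refuses to run a component that fails an integrity check. The sf-autoupdate.exe name is the one cited in the text; the SHA-256 pin stands in for the Authenticode signature validation the fix is described as performing and is an assumption of this model, as are the two stub files it creates in a temporary directory.

```python
import hashlib
import os
import tempfile

COMPONENT = "sf-autoupdate.exe"  # auxiliary component named in the write-up


def resolve_vulnerable(name, cwd, installer_dir):
    """Unpatched behaviour as described: the current working directory is
    searched first, so a look-alike file there shadows the genuine component."""
    for directory in (cwd, installer_dir):
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    raise FileNotFoundError(name)


def resolve_hardened(name, installer_dir, expected_sha256):
    """Patched behaviour as described: an absolute path rooted at the installer's
    own directory, and the component must pass an integrity check before use.
    The digest pin is this model's substitute for a signature check."""
    candidate = os.path.join(os.path.abspath(installer_dir), name)
    with open(candidate, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    if digest != expected_sha256:
        raise PermissionError(f"{name}: integrity check failed")
    return candidate


def demo():
    """Stage a Downloads folder (attacker-controlled cwd) holding a rogue
    component next to a clean installer directory, and compare what each
    resolver picks. Both files are constructed stubs."""
    with tempfile.TemporaryDirectory() as root:
        installer_dir = os.path.join(root, "installer")
        download_dir = os.path.join(root, "Downloads")
        os.makedirs(installer_dir)
        os.makedirs(download_dir)
        genuine = b"genuine updater stub"
        rogue = b"attacker payload stub"
        with open(os.path.join(installer_dir, COMPONENT), "wb") as fh:
            fh.write(genuine)
        with open(os.path.join(download_dir, COMPONENT), "wb") as fh:
            fh.write(rogue)
        pinned = hashlib.sha256(genuine).hexdigest()

        # Vulnerable resolver: the rogue copy in the download folder wins.
        picked = resolve_vulnerable(COMPONENT, download_dir, installer_dir)
        hijacked = picked.startswith(download_dir)

        # Hardened resolver: never looks at cwd, and the genuine file passes the pin.
        safe = resolve_hardened(COMPONENT, installer_dir, pinned)
        safe_ok = safe.startswith(installer_dir)

        # Replace the genuine component in place: the pin catches the swap.
        with open(os.path.join(installer_dir, COMPONENT), "wb") as fh:
            fh.write(rogue)
        try:
            resolve_hardened(COMPONENT, installer_dir, pinned)
            tampered_blocked = False
        except PermissionError:
            tampered_blocked = True
    return hijacked, safe_ok, tampered_blocked


if __name__ == "__main__":
    print("cwd hijack succeeded, hardened path safe, tampering blocked:", demo())
```

    On a real Windows host the equivalent pre-flight check before running an installer fetched from a mirror is to verify its publisher signature (for example with Get-AuthenticodeSignature) rather than a pinned hash; the model uses a hash only so that it runs anywhere.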

    Risk Factors / Details
    Affected Products: Salesforce CLI installer (sf-x64.exe) versions < 2.106.6
    Impact: Arbitrary code execution; privilege escalation to SYSTEM-level access
    Exploit Prerequisites: Installer obtained from an untrusted source; attacker places a malicious executable in the installer’s working directory; installer run with elevated privileges
    CVSS 3.1 Score: 7.8 (High)

    Affected Versions and Mitigation

    All Salesforce CLI versions prior to 2.106.6 are impacted by this path hijacking vulnerability. 

    Importantly, only users who install the CLI from untrusted mirrors or third-party repositories are at risk; installations directly downloaded via the official Salesforce site use a signed installer that enforces strict path resolution and integrity checks.

    To remediate, affected users should immediately uninstall any CLI version obtained from unverified sources and perform a thorough system scan for unknown executables or suspicious services. 

    Salesforce has released version 2.106.6, which fixes the issue by hard-coding absolute file paths and validating digital signatures before loading supplementary executables. 

    Administrators are advised to enforce installation from trusted endpoints only and to enable Windows Defender Application Control (WDAC) policies to restrict execution of unauthorized binaries in installation directories. 

    Continuous monitoring of system event logs for unexpected service creation or installer execution under non-standard paths will help detect attempted exploits early.


    The post Salesforce CLI Installer Vulnerability Let Attackers Execute Code and Gain SYSTEM-Level Access appeared first on Cyber Security News.


  • Federal cybersecurity agency CISA has disclosed that attackers exploited a remote code execution vulnerability in GeoServer to breach a U.S. federal civilian executive branch agency. The incident response began after endpoint detection alerts sounded at the agency. Over three weeks, cyber intruders used the flaw to gain initial access, move laterally, and establish persistence across […]

    The post CISA Reveals Hackers Breached U.S. Federal Agency via GeoServer RCE Flaw appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A severe Stored Cross-Site Scripting (XSS) vulnerability in the Prompt module of the DNN Platform enables low-privilege attackers to inject and execute arbitrary scripts in the context of privileged users. Published as GHSA-2qxc-mf4x-wr29 by Daniel Valadas yesterday, this vulnerability affects all versions of the DotNetNuke.Core package prior to 10.1.0 and carries a CVSS v3.1 base […]

    The post Critical DNN Platform Vulnerability Let Attackers Execute Malicious Scripts appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Libraesva has issued an emergency patch for a significant command injection vulnerability in its Email Security Gateway (ESG) after confirming state-sponsored hackers exploited it.

    The flaw, identified as CVE-2025-59689, allowed attackers to execute arbitrary commands by sending a malicious email with a specially crafted compressed attachment. The company responded by deploying an automated fix to customers within 17 hours of discovering the active exploitation.

    The vulnerability originates from improper sanitization when the ESG product processes certain compressed archive formats. Attackers could construct a malicious email attachment that, when scanned by the gateway, would bypass security checks and allow the injection of shell commands.

    A successful exploit would grant the attacker the ability to execute arbitrary commands on the affected system, albeit as a non-privileged user.

    From there, the actor could potentially engage in lateral movement, establish persistence, or attempt to escalate privileges. The flaw impacts all Libraesva ESG versions from 4.5 onwards.

    Confirmed State-Sponsored Attack

    Libraesva confirmed at least one incident where the vulnerability was actively abused in the wild. The company attributes the attack to a “foreign hostile state entity,” highlighting the sophisticated nature of the threat actor.

    According to Libraesva, the targeted nature of the attack, which focused on a single appliance, underscores the precision and strategic intent of the adversary.

    This targeted approach suggests the attackers were not conducting a widespread campaign but rather a focused operation against a specific organization.

    In response to the exploit, Libraesva took swift action, developing and deploying a patch in just 17 hours. The emergency update was automatically pushed to all cloud-based and on-premise ESG appliances running version 5.x.

    The comprehensive patch not only addressed the root sanitization flaw but also included an automated scanner to detect Indicators of Compromise (IoCs) and a self-assessment module to verify the patch’s integrity.

    Libraesva has provided the following guidance for its customers:

    • Cloud Customers: All cloud appliances have been automatically updated, and no further action is required.
    • On-Premise 5.x Customers: These appliances should have received the automatic update. Administrators are advised to verify that their system is running a patched version.
    • On-Premise 4.x Customers: Versions below 5.0 are End of Support (EOS) and did not receive the automatic patch. These customers must manually upgrade to a supported 5.x version to protect their systems from this exploited vulnerability.

    The fixes are available in versions 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. Given the active exploitation by a nation-state actor, organizations using Libraesva ESG are urged to ensure their appliances are running a patched version immediately.
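    Because the fix version differs per 5.x branch, a naive comparison (is my version above 5.0.31?) gives the wrong answer for a 5.4.7 appliance. The following is an added helper written for this page, not a Libraesva tool: it parses a version string, picks the branch, and compares against the fixed versions listed above, treating 4.x as end-of-support (no automatic patch) and branches not covered by the advisory as needing manual confirmation with the vendor. The sample inventory is constructed.

```python
import re

# Fixed versions per supported 5.x branch, as listed in the advisory summary.
FIXED = {
    (5, 0): (5, 0, 31),
    (5, 1): (5, 1, 20),
    (5, 2): (5, 2, 31),
    (5, 3): (5, 3, 16),
    (5, 4): (5, 4, 8),
    (5, 5): (5, 5, 7),
}
FIRST_AFFECTED = (4, 5, 0)  # the flaw impacts ESG 4.5 onwards


def parse_version(text):
    """Accept strictly 'major.minor.patch'; anything else is an inventory error."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Classify one appliance version against the advisory.

    Returns one of: 'not-affected', 'eos-vulnerable' (4.x, must upgrade to 5.x),
    'vulnerable', 'patched', or 'unknown-branch' (a 5.x branch the advisory
    does not list; confirm with the vendor rather than assume)."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return "not-affected"
    if v[0] < 5:
        return "eos-vulnerable"
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown-branch"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory):
    """inventory: mapping appliance name -> version string.
    Returns only the appliances that still need action."""
    return {name: status for name, ver in inventory.items()
            if (status := assess(ver)) != "patched"}


# Constructed sample inventory.
SAMPLE_INVENTORY = {
    "esg-hq": "5.2.31",
    "esg-dc2": "5.2.30",
    "esg-branch": "5.4.10",
    "esg-legacy": "4.8.2",
    "esg-lab": "5.6.1",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

    The branch-aware comparison is the whole point: 5.4.10 is patched although it is numerically below 5.5.7, and 5.2.30 is not although it is above 5.0.31.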


    The post Hackers Exploiting Libraesva Email Security Gateway Vulnerability to Inject Malicious Commands appeared first on Cyber Security News.


  • A sophisticated cybercrime campaign has emerged that transforms legitimate AWS infrastructure into weaponized attack platforms through an innovative combination of containerization and distributed denial-of-service capabilities.

    The ShadowV2 botnet represents a significant evolution in cyber threats, leveraging exposed Docker daemons on Amazon Web Services EC2 instances to establish persistent footholds for large-scale DDoS operations.

    This campaign demonstrates an alarming shift toward professional, service-oriented cybercrime infrastructure that mirrors legitimate cloud-native applications in both design and functionality.

    The attack begins with threat actors operating from GitHub Codespaces, utilizing a Python-based command-and-control framework to scan for and exploit misconfigured Docker installations.

    Unlike traditional botnet operations that rely on pre-built malicious containers, ShadowV2 employs a unique multi-stage deployment process that creates custom containerized environments directly on victim machines.

    The malware establishes communication with its operators through a RESTful API architecture, implementing sophisticated polling and heartbeat mechanisms that ensure persistent connectivity while evading detection through legitimate-appearing network traffic.

    Darktrace analysts identified the malware during routine honeypot monitoring, discovering that the campaign specifically targets AWS EC2 instances running exposed Docker daemons.

    The login UI (Source – Darktrace)

    The researchers observed the threat actors using advanced attack techniques including HTTP/2 rapid reset attacks, Cloudflare under-attack mode bypasses, and large-scale HTTP flood campaigns.

    These capabilities, combined with a fully operational user interface and OpenAPI specification, indicate that ShadowV2 functions as a comprehensive DDoS-as-a-service platform rather than a traditional botnet, offering paying customers the ability to launch sophisticated distributed attacks against targeted infrastructure.

    A snippet showing the fasthttp client creation loop (Source – Darktrace)

    The malware’s architecture reveals a concerning level of professionalism, with the entire operation designed around a modular, service-oriented approach that includes user authentication, privilege management, and attack limitations based on subscription tiers.

    This evolution represents a fundamental shift in cybercrime economics, where malicious infrastructure increasingly resembles legitimate software-as-a-service offerings in terms of user experience, reliability, and feature completeness.

    Technical Infection and Deployment Mechanism

    The ShadowV2 botnet employs a sophisticated three-stage deployment process that distinguishes it from conventional Docker-based malware campaigns.

    Initial compromise occurs through Python scripts hosted on GitHub Codespaces, identifiable through distinctive HTTP headers including User-Agent: docker-sdk-python/7.1.0 and X-Meta-Source-Client: github/codespaces.

    These indicators reveal the attackers’ use of the Python Docker SDK library, which enables programmatic interaction with Docker daemon APIs to create and manage containerized environments on target systems.

    The poll mechanism (Source – Darktrace)

    The attack methodology deviates significantly from typical Docker exploitation patterns. Instead of deploying pre-built malicious images from Docker Hub or uploading custom containers, the malware first spawns a generic Ubuntu-based setup container and dynamically installs necessary tools within it.

    This container is then committed as a new image and deployed as a live container with malware arguments passed through environment variables including MASTER_ADDR and VPS_NAME identifiers.

    The containerized payload consists of a Go-based ELF binary located at /app/deployment that implements a robust communication protocol with the command-and-control infrastructure.

    Upon execution, the malware generates a unique VPS_ID by concatenating the provided VPS_NAME with the current Unix timestamp, ensuring distinct identification for each compromised system.

    This identifier facilitates command routing and maintains session continuity even across malware restarts or reinfections.

    The binary establishes two persistent communication loops: a heartbeat mechanism that transmits the VPS_ID to hxxps://shadow.aurozacloud[.]xyz/api/vps/heartbeat every second via POST requests, and a command polling system that queries hxxps://shadow.aurozacloud[.]xyz/api/vps/poll/<VPS_ID> every five seconds through GET requests.

    This dual-channel approach ensures both operational visibility for attackers and reliable command delivery to compromised infrastructure, while maintaining the appearance of legitimate API traffic that can evade network-based detection mechanisms.
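    Two of the details above are directly usable for detection: the request headers the Docker SDK scripts leave on the inbound side, and the fixed-period heartbeat (POST every second) and poll (GET every five seconds) loops on the egress side. The following is an added example written for this page, not Darktrace’s or the botnet’s code. It matches the quoted header indicators against one Docker daemon request, and runs a simple beacon detector over constructed egress records (an infected instance beaconing for 30 seconds plus unrelated traffic), keying on source, host, method and the path with the per-victim VPS_ID segment collapsed. The VPS_ID value in the sample is constructed; the write-up does not give the exact format.

```python
from collections import defaultdict
from statistics import median

# Indicators quoted in the write-up; header names compared case-insensitively.
IOC_HEADERS = {
    "user-agent": "docker-sdk-python/7.1.0",
    "x-meta-source-client": "github/codespaces",
}
C2_HOST = "shadow.aurozacloud.xyz"  # de-fanged in the write-up as aurozacloud[.]xyz


def docker_api_iocs(headers):
    """Return the indicator headers present in one request to the Docker daemon."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return sorted(k for k, v in IOC_HEADERS.items() if lowered.get(k) == v)


def beacon_key(rec):
    """Group key for egress records. Only the first three path components are
    kept, so /api/vps/poll/<VPS_ID> collapses to /api/vps/poll."""
    path = "/".join(rec["path"].split("/")[:4])
    return (rec["src"], rec["host"], rec["method"], path)


def find_beacons(records, min_hits=5, max_jitter=0.2):
    """Flag request groups with a regular inter-arrival period: every gap within
    max_jitter of the median gap. That regularity is what the 1 s heartbeat
    and 5 s poll loops produce, independent of the C2 hostname."""
    groups = defaultdict(list)
    for rec in records:
        groups[beacon_key(rec)].append(rec["ts"])
    findings = []
    for (src, host, method, path), stamps in groups.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period > 0 and max(abs(g - period) for g in gaps) <= max_jitter * period:
            findings.append({
                "src": src, "host": host, "method": method, "path": path,
                "hits": len(stamps), "period_s": round(period, 2),
                "known_c2": host == C2_HOST,
            })
    return sorted(findings, key=lambda f: f["period_s"])


def sample_records():
    """Constructed egress log: one instance beaconing for 30 s, plus a second
    instance fetching packages at irregular intervals."""
    victim = "10.0.4.21"
    recs = [{"ts": float(t), "src": victim, "method": "POST", "host": C2_HOST,
             "path": "/api/vps/heartbeat"} for t in range(0, 30)]
    recs += [{"ts": float(t), "src": victim, "method": "GET", "host": C2_HOST,
              "path": "/api/vps/poll/web-01_1758700000"} for t in range(0, 30, 5)]
    recs += [{"ts": ts, "src": "10.0.4.22", "method": "GET", "host": "pypi.org",
              "path": "/simple/requests/"} for ts in (0.0, 3.1, 9.7, 10.2, 22.9, 28.4)]
    return recs


if __name__ == "__main__":
    print(docker_api_iocs({"User-Agent": "docker-sdk-python/7.1.0",
                           "X-Meta-Source-Client": "github/codespaces",
                           "Host": "203.0.113.5:2375"}))
    for finding in find_beacons(sample_records()):
        print(finding)
```

    The header match is the cheap, high-confidence signal but only fires if the daemon’s requests are logged at all; the beacon detector needs no indicator and would also catch the loops if the operators moved to a new domain, at the cost of tuning min_hits and max_jitter against the normal periodic traffic (health checks, metrics scrapers) on the monitored hosts.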


    The post ShadowV2 Botnet Exploits Docker Containers on AWS to Turn Thems as Infected System for DDoS Attack appeared first on Cyber Security News.
